imfihyiiiimiwuiiiii 

© Publication number: 0 666 694 A1 



© EUROPEAN PATENT APPLICATION 

© Application number: 94119017.5 © Int. CIA H04N 7/167 



© Date ol filing: 02.12.94 



© 


Priority: 02.02.94 US 191031 


Doylestown 




Pennsylvania 18901 (US) 


© 


Date of publication of application: 


Inventor: Kauffman, Marc 




09.08.95 Bulletin 95/32 


420 Franklin Avenue, 
Cheltenham 




Designated Contracting States: 


Pennsylvania 19012 (US) 




BE CH DE DK ES FR GB IE IT LI NL SE 


Inventor: Vince, Lawrence D. 
873 Yorktown Street, 


© 


Applicant: GENERAL INSTRUMENT 


Lansdale 




CORPORATION OF DELAWARE 


Pennsylvania 19446 (US) 




181 West Madison Street 




Chicago, 






Illinois 60602 (US) 


© Representative: Hoeger, Stellrecht & Partner 


© 


Inventor: Hamilton, Jeffrey S. 


Uhlandstrasse 14 c 


3647 Concord Road, 


D-70182 Stuttgart (DE) 




Europaisches Patentamt 
European Patent Office 
Office europeen des brevets 



© Method and apparatus for controlling access to digital signals. 



© A method and apparatus are provided for con- 
trolling access to digital signals sent via a first com- 
munication path and retransmitted over a second 
communication path. The digital signals, having been 
encrypted by a first encryption scheme and sent 



over the first communication path, are received and 
decrypted. The decrypted signals are then retrans- 
mitted over the second communication path using a 
second encryption scheme that differs from the first 
encryption scheme. 
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BACKGROUND OF THE INVENTION 

The present invention relates to controlling ac- 
cess to digital signals distributed via a cable televi- 
sion ("CATV") network or the like, and more par- 
ticularly to a method and apparatus for reencryp- 
ting digital signals received from a first commu- 
nication path (e.g. satellite) prior to retransmission 
along a second path such as a CATV network. The 
reencrytion is used to control subscriber access to 
services provided via the second path, such as 
digital video and audio services, audio only ser- 
vices, data services and the like. 

In cable television networks, subscribers are 
connected to a transmission stream carrying, e.g., 
television programs, radio programs, and associ- 
ated data which originates at a headend. To gen- 
erate the transmission stream, the headend re- 
ceives signals from a variety of sources including, 
for example, broadcast stations, data sources and 
premium channels via satellite. The signals are 
combined at the headend into various packages for 
retransmission to subscribers over the CATV net- 
work. 

The CATV network may, e.g., be configured as 
a ring network, star or a tree and branch type 
structure which extends from the headend to feed 
various authorized subscribers. Subscribers may 
be arranged into groups based upon an attribute 
such as type of programming services required. 
For example, a subscriber such as a hospital re- 
quires a particular type of CATV service, i.e., a 
package including such services as data service 
channels and pertinent hospital video/audio chan- 
nels as opposed to a residential subscriber which 
may require a package including family oriented 
channels. 

Presently, to retain control and authorize ac- 
cess to various subscriber groups, the headend 
receives the various signals and, where received in 
an encrypted format, decrypts and retransmits the 
signal in a conventional scrambled analog format to 
provide security for premium channels, thereby 
preventing unauthorized use. Converters and de- 
scramblers located at the subscriber's residence or 
business are connected to receive and descramble 
the transmitted analog signal for end use. Encryp- 
tion schemes for use in digital access control are 
well known, as evidenced by U.S. Patent No. 
4,613,901 to Gilhousen et al., which discloses a 
system and method for encrypting and selectively 
decrypting television signals. An example of an 
analog scrambling system useful in CATV systems 
can be found in U.S. Patent 4,222,068 to Thomp- 
son. 

Unfortunately, pirating of the signal transmitted 
from the headend cannot be prevented. A large 
market for pirate descramblers and the like is 



ready made by the large number of possible end 
users, thus making it very profitable to breach the 
security placed on the transmission at or before the 
headend. This problem is particularly acute in a 
5 digital transmission system, where the use of the 
same encryption scheme along the entire path 
from a programmer to an end user (e.g., via sat- 
ellite and cable communication paths) would en- 
able a security breach to have far reaching effects. 

70 Therefore, it would be advantageous to provide a 
method and apparatus for segmenting the network 
(e.g., between the satellite and CATV systems or 
between different CATV systems) to minimize the 
impact of a security breach. It would be further 

75 advantageous to provide a security scheme for the 
transmission of digital television signals over a ca- 
ble television network. While past CATV systems 
have been primarily analog, the development of 
digital video compression and transmission tech- 

20 niques has made digital television a reality. Yet 
another advantage would be to decrypt and reen- 
crypt a signal without decompressing the data, 
video and/or audio information being transmitted. 
Digital audio services via a CATV network have 

25 also been introduced, further increasing the de- 
mand for effective security schemes. 

In segmenting a communication network, sev- 
eral additional advantages including increased con- 
trol over billing, tiering, pricing, and service pack- 

30 aging throughout the network are realized. For ex- 
ample, in the situation where a CATV network 
extends throughout more than one town or city, 
different pricing for services and different service 
packages may have been contracted for or other- 

35 wise be desirable in different towns. Moreover, 
different subscriber groups, such as businesses 
and residences would require different service 
packages, as previously described, and a seg- 
mented network would provide additional control 

40 over service packaging for various portions of the 
network. The reliable provision of access control for 
such needs must be achieved in order to bring 
these features to the marketplace. 

The present invention provides a method and 

45 apparatus for communicating encrypted digital sig- 
nals over a network having the aforementioned 
features and advantages. 

SUMMARY OF THE INVENTION 

50 

In accordance with the present invention, a 
method and apparatus are provided for controlling 
access to digital signals received via a first com- 
munication path (e.g., a satellite downlink) and re- 
55 transmitted over a second communication path 
(e.g., a CATV network). To achieve this, digital 
signals encrypted by a first encryption scheme and 
transmitted over the first communication path are 
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received and then retransmitted over the second 
communication path using a second encryption 
scheme that differs Irom the first encryption 
scheme. The digital signals sent via the second 
communication path and encrypted by the second 
encryption scheme may also be received and then 
retransmitted over a third communication path us- 
ing a third encryption scheme that differs Irom the 
first and second encryption schemes. The digital 
signals sent via the third communication path and 
encrypted by the third encryption scheme may be 
further received and then retransmitted over addi- 
tional communication paths using additional en- 
cryption schemes. 

In an illustrated embodiment, the digital sig- 
nals, prior to being retransmitted over the second, 
third, or additional communication paths, are de- 
crypted and then reencrypted by the second, third 
or additional encryption schemes. Each of the sec- 
ond, third and additional encryption schemes may 
differ by encryption keys used by the encryption 
schemes. The encryption schemes themselves 
may also differ. For end use, different authorized 
subscribers may receive, and decrypt accordingly, 
the digital signals reencrypted and sent via the 
second, third and/or additional communication 
paths. 

In accordance with an illustrated embodiment 
of the present invention, control data is transmitted 
with the digital signals. The control data may in- 
clude information for "internal" use such as en- 
abling an authorized subscriber to decode and use 
the encrypted television signals. The control data 
may also include information such as program or 
movie identification for "external" use by autho- 
rized subscribers. A first portion of the control data 
may be common to the data streams received from 
the first communication path and retransmitted over 
the second, third and/or additional communication 
paths, while other portion(s) thereof are modified 
and/or added at the headend prior to retransmis- 
sion to subscribers. 

Also in accordance with the illustrated embodi- 
ment of the present invention, the signals are de- 
crypted prior to reencryption using the second, 
third or additional encryption scheme(s). For addi- 
tional security, the decrypted digital signals may be 
reencrypted using a plurality of different encryption 
schemes tor transmission over a corresponding 
plurality of different segments of the network. The 
digital signals retransmitted over the CATV network 
may include a multiplex of television signals, audio 
only signals, and data signals. 

In an illustrated embodiment, the first, second 
and third encryption schemes differ by encryption 
keys used by the encryption schemes. A plurality 
of different encryption schemes may correspond to 
different subscriber groups. 



BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a schematic diagram showing a 
satellite transmission system and a cable televi- 
5 sion network in accordance with the present 

invention; 

Figure 2 is a block diagram of the satellite 
transmission system and cable network of Fig- 
ure 1; 

w Figure 3 is a block diagram of a reencryption 

transcoder for controlling access to digital sig- 
nals in accordance with the present invention; 
and 

Figure 4 is a block diagram showing a plurality 
75 of reencryption transcoders used to provide dif- 

ferent encryption schemes along different net- 
work segments in accordance with the present 
invention. 

20 DETAILED DESCRIPTION OF THE INVENTION 

Figure 1 illustrates a satellite uplink transmis- 
sion system generally designated 10, a satellite 12, 
and a cable television network generally designated 

25 14 in accordance with the present invention. Cable 
television network 14 is illustrated herein as a pub- 
lic cable television network, however, it will be 
appreciated that the present invention may also be 
used in connection with private cable systems such 

30 as those serving an apartment complex, hotel or 
institution. Moreover, the present invention is also 
useful in securing local area networks (LAN) and 
wide area networks (WAN). It will be noted that the 
cable television network 14 may be considered a 

35 wide area network. 

The satellite transmission system 10 includes a 
transmitter 20 and a dish 22 for transmitting digital 
signals 24 up to the satellite 12. A plurality of 
different digital signals are preferably transmitted in 

40 a multiplexed format, although it will be appreciated 
that any suitable format may be employed. Trans- 
mitter 20 receives input from several sources in- 
cluding programmer audio and video channels 26 
which may be, for example, television program- 
's ming such as that sold under one or more of the 
service marks "SHOWTIME", "HOME BOX OF- 
FICE", and "ESPN". Also providing input to the 
transmitter 20 may be a satellite access controller 
30, which will be more fully described hereinafter. 

so The cable television network 14 includes a 

headend 40, a distribution hub 42, and a plurality of 
segments or branches 44, 46, and 48 extending 
from the hub 42. Headend 40 and hub 42 are 
connected by a trunk line 50. Each of branches 44, 

55 46, and 48 terminates in a plurality of subscriber 
ports 52 for end use of the digital signals 24. It will 
be appreciated that the network 14 is illustrated as 
a tree and branch network although any type of 
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network may be utilized including e.g., a star net- 
work. Additionally, one hub 42 and three branches 
44, 46, and 48 are depicted herein tor illustration 
only and any number of each may be employed. 
Further, the hub 42 may be located at the headend 
40 although it is not shown herein as such. 

Referring now also to Figure 2, a cable access 
controller 28 is shown as located at the headend 
40, however, it may alternatively be located at the 
satellite uplink 10. The controller 28 provides cable 
access and billing information (via billing processor 
29) for subscribers. In this way, the controller 28 
provides an authorization data stream which in- 
cludes authorization data for each subscriber such 
as channel authorization and user features, e.g. 
parental control. The controller 28 also includes a 
channel mapper for assigning cable channels to 
each of a plurality of program signals. The control- 
ler 28 may also provide data such as teletext and 
program guides. 

The satellite access controller 30 at the satellite 
uplink similarly includes a channel mapper and an 
access controller. The channel mapper is a con- 
ventional device that provides mapping information 
of the audio and video program signals 26 to 
specific satellite channels for passage over the 
satellite 12. This mapping information is coupled, 
together with the actual program signals 26 to an 
encoder 53, described below. The access control 
portion of the satellite access controller 30 is also 
conventional, and provides decryption authorization 
data for use in decrypting the digital signals 24 
transmitted by transmitter 20. 

The satellite uplink transmitter 20 includes an 
encoder 53 and a modulator 54. The encoder 53 
encrypts the program and satellite control signals 
26 and 30 respectively. A plurality of program 
signals (e.g. HBO, SHOWTIME, ESPN, etc.) is mul- 
tiplexed with the control signals, prior to transmis- 
sion, using a first encryption scheme. Encoder 53 
can comprise for example, a VideoCipher® satellite 
uplink encrypter which is manufactured by General 
Instrument Corporation of San Diego, California, 
U.S.A. The modulator 54 may be any suitable 
satellite modulator well known in the art, such as a 
quadrature phased shift keying (QPSK) or quadra- 
ture amplitude modulation (QAM) modulator. It will 
be appreciated that an error correcting coding 
scheme, such as a Viterbi inner code concatenated 
with a Reed-Solomon outer code, may be used to 
process the data to be transmitted prior to being 
passed on to modulator 54. 

The headend 40 includes a headend reencryp- 
tion transcoder generally designated 58 (Figure 2) 
for receiving, decrypting, reencrypting, and retrans- 
mitting the multiplex of digital program and control 
signals 24. Dish 60 is provided for receiving the 
digital signals 24 from satellite 12. A satellite tuner 



61 and QPSK demodulator 62 are provided to 
demodulate the multiplex of signals 24 for further 
processing. It will be appreciated that as a result of 
demodulation, the digital signals 24 may be sepa- 
5 rated in real (Q) and imaginary (I) planes although, 
for simplicity, this is not shown in the drawings. A 
forward error correcting (FEC) decoder 63, includ- 
ing Viterbi and Reed-Solomon decoders, is pro- 
vided for decoding signals 24. The digital signals 

70 24 may then be decrypted by a decrypter 65. The 
decrypter 65 can decrypt all, a desired plurality, or 
even one of the different program signals contained 
in multiplex 24. 

Authorization data which originates at the cable 

75 access controller 28 is used, e.g., for authorizing 
decryption of particular signals by particular sub- 
scribers downstream of the headend. The cable 
access controller 28 can optionally or alternatively 
receive local control data 68, which may include 

20 authorization data, tag data and converter control 
data. Authorization data may include e.g., encryp- 
tion keys for use by subscriber converters in de- 
crypting programs the subscriber is authorized to 
receive. Information for external (e.g. subscriber) 

25 use, such as program identifiers, may be sent as 
tag data. Converter control data is generated for 
remotely addressing a subscriber converter from 
the headend 40 in the event of, for example, a 
programming change or an impulse purchase of a 

30 program by a subscriber. The converter control 
data can also comprise local channel mapping in- 
formation and/or parental control access informa- 
tion. 

One output of the cable access controller 28 

35 carries the authorization data, tag data and/or con- 
verter control data that is not specific to any one of 
the programs carried in the multiplex 24 to a 
modulator 72. Modulator 72 may be an FM or 
QPSK modulator that modulates the data received 

40 from the transcode controller onto a separate car- 
rier, preferably "out of band" with respect to the 
encrypted video and audio signals, for communica- 
tion to subscriber converters coupled to ports 52. 
Alternatively, in band distribution of the non-pro- 

45 gram specific data could be provided using a mi- 
crowave multichannel distribution system (MMDS). 

In accordance with an important feature of the 
present invention, the decrypted digital signals 24 
are reencrypted prior to retransmission from the 

so headend 40 and preferably without changing the 
underlying format of the signal, e.g. from digital to 
analog. To achieve this, the individual decrypted 
digital signals 24 from decrypter 65 are passed 
through an encrypter 74, and then are remultiplex- 

55 ed at 76 to provide a reencrypted multiplex of 
signals for transmission under the encryption 
scheme provided by the encrypter 74. The reen- 
crypted signals may be again FEC encoded at an 
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FEC encoder 78 lor transmission over the CATV 
network 14. The encrypter 74 preferably uses an 
encryption scheme which differs from the first en- 
cryption scheme used by encoder 53 at satellite 
uplink 10. For example, different versions of the 
Data Encryption Standard (DES) could be used. 
DES is described in Federal Information Process- 
ing Standards Publication 46 ( "FIPS Pub. 46" ) is- 
sued by the National Bureau of Standards, United 
States Department of Commerce, "Announcing the 
Data Encryption Standard," January 15, 1977 and 
FIPS Pub. 74 , "Guidelines for Implementing and 
Using the NBS Data Encryption Standard," April 1, 
1981. It is also possible to simply use different 
encryption keys at the headend than were used at 
the satellite uplink instead of changing the entire 
encryption scheme. 

A modulator 80, which can comprise a QAM 
modulator (e.g.,64-GAM), is provided for modulat- 
ing the reencrypted and FEC encoded digital sig- 
nals 24 at an intermediate frequency. A channel 
converter 82 is provided for upconverting the digital 
signals 24 for use by subscribers. The reencrypted 
and FEC encoded digital signals 24 are combined 
with the non-program specific data from modulator 
72 at a coupler 84, for communication to subscrib- 
ers via cable network 14. It should be appreciated 
that the digital signals 24 may alternatively be 
transmitted as baseband signals over the cable 
network 14 without being modulated onto a carrier. 

Other signals, which may include unscrambled 
video and audio, audio only and/or data only sig- 
nals may be combined with the reencrypted and 
FEC coded digital signals 24 at a coupler 85 for 
distribution over cable network 14 to subscriber 
ports 52 via hub 42. 

One more or more subscriber converter(s) 86 
are connected to each active subscriber port 52 for 
receiving, decrypting and converting the digital sig- 
nals 24 for reproduction on a subscriber appliance 
such as a television set 88. The converter 86 
receives the program signals 24, authorization and 
control data for decryption of the program signals, 
and tag data (e.g., for program identification) as 
described above. 

As shown in more detail in Figure 3, the reen- 
cryption transcoder 58 includes a rate buffer 90 tor 
buffering the signals 24 from the FEC decoder 63, 
prior to input to decrypter 65. Decrypter 65 com- 
municates with a microprocessor 92 which, in turn, 
is coupled to a transcode microprocessor 66 for 
receipt and processing of the authorization and tag 
data. The microprocessor 92 may provide the de- 
crypter 65 with mapping information for decrypting 
various specific channels in the multiplexed signal 
24. A replaceable security element 94 may be 
used as is well known for adding one or more 
additional layer(s) of security. Such a replaceable 



security element is disclosed, lor example, in U.S. 
patent 5,111,504 to Esserman et al. The transcode 
microprocessor 66 may also control the change of, 
e.g., encryption keys which may vary on a routine 

5 basis. For example, once or more each month, the 
encryption keys may be changed to make it more 
difficult to breach the system security. 

The transcode microprocessor 66 outputs con- 
trol data via connector 96, such as the out of band 

70 control data passing through modulator 72 (Figure 
2). Local authorization and control data 68 is re- 
ceived at a connector 98, and is passed to the 
transcode microprocessor 66 via a switch 100 
which may toggle between insertion of the local 

75 data and data received via a data stripper 102. An 
input/output control processor (not shown) may be 
provided for controlling transfer of data via the 
connectors 96 and 98. 

The data stripper 102 strips off the cable au- 

20 thorization data stream from the received and de- 
crypted multiplex of digital signals 24 prior to reen- 
cryption by encrypter 74. As noted above, the 
authorization data stream originates from the cable 
access controller 28 at the headend 40 or the 

25 uplink 10 and, as previously discussed, is used to 
control access to programs by subscribers. 

A data inserter 104 is provided for combining 
data from the transcode microprocessor 66 with the 
decrypted digital signals 24. The inserted data is 

30 used, for example, by the encrypter 74 in generat- 
ing encryption keys for reencrypting signal 24. The 
encrypter 74 communicates with a microprocessor 
106 for mapping purposes in a manner similar to 
that described for the decrypter 65. A replaceable 

35 security element 108 may be provided to enable 
security to be updated as required. The reencryp- 
ted digital signals 24 are then FEC encoded and 
modulated as discussed in connection with Figure 
2 lor output to channel converter 82 via terminal 

40 109. 

In accordance with another important feature of 
the present invention, the hub 42 (Figures 1 and 2) 
may include a reencryption transcoder 58. In this 
way, signals 24 may again be decrypted and then 

45 reencrypted in another encryption scheme to there- 
by further segment the cable network 14. To 
achieve this, rather than receiving digital signals 24 
by way of satellite receiver 110, signals 24 are 
received via cable connector 112 (Figure 3) which 

so is connected to trunk line 50 and then passed to a 
demodulator 114. Thereafter, the digital signals 24 
may be decrypted and reencrypted according to 
Figure 3 as discussed above. 

To even further segment the network 14, each 

55 branch 44, 46 and 48 may include one or more 
additional hubs (not shown) each having a reen- 
cryption transcoder 58 located therein for decryp- 
ting and reencrypting digital signals 24 with dif- 
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lerent encryption schemes. An additional embodi- 
ment is illustrated in Figure 4. This embodiment 
provides a means lor encrypting the digital signals 
24 in a plurality of different encryption schemes for 
passage along separate branches of the network 
14. In this embodiment, digital signals 24 are re- 
ceived at the hub 42 via terminal 120 and are first 
demodulated and decrypted at 122 as described 
above. Thereafter the digital signals 24 are split at 
a splitter 123 for passage to a plurality of reencryp- 
tion transcoders 58a, 58b. ... 58c. Each of the 
reencryption transcoders preferably provides a dif- 
ferent encryption scheme for communication of the 
digital signals 24 over separate branches of the 
network 14. Modulators 124 are provided for re- 
modulating the separately reencrypted digital sig- 
nals 24. Terminals 126, 128, and 130 each connect 
to a respective branch 44, 46, and 48 of the CATV 
network 1 4 shown in Figure 1 . It is also con- 
templated that a plurality of reencryption trans- 
coders 58 may be disposed at one or more addi- 
tional locations within the network 14 for providing 
additional encryption schemes throughout the net- 
work. Such structure reduces the incentive to a 
pirate of solving a particular encryption scheme, by 
reducing the size of a market associated therewith. 

It will also be apparent that the digital signals 
24 may be split at splitter 123 into various pro- 
grammer and service groups based upon type of 
service required, price of service, tiering, billing 
etc. Additionally, digital signals 24 may be split into 
various packages at any point in the network. 

It should now be appreciated that the present 
invention provides a practical system for segment- 
ing a communication network such as a local or 
wide area network to provide enhanced security 
and additional control of functions such as pricing, 
tiering, and billing for a subscriber. In particular, 
digital signals are secured using one access con- 
trol and encryption system for one segment, and, 
without affecting the underlying information signal, 
security is replaced using a secondary access con- 
trol system for secondary branches in the broad- 
cast network. In the illustrated embodiment, digital 
signals originate at a satellite uplink site, and are 
encrypted and secured using an access control 
system whose purpose is to deliver the signal 
securely to satellite television consumers and cable 
system headends. A particular access control and 
billing system is established for this application, 
and pricing, tiering, etc. are established. Without 
decompressing or otherwise changing the format of 
the underlying information signal (e.g., from digital 
to analog), the signal is decrypted using the sat- 
ellite access control system, and subsequently re- 
encrypted using an access control system specific 
to the particular cable system for which it is des- 
tined. This allows each cable system to custom 



tailor its tiering, pricing, billing, channel packaging 
and marketing strategy, by dissociating its local 
access control system from that ol the satellite 
system. An additional benefit of the segmentation 

5 process is to break the universe into many smaller, 
individually secured segments, reducing the size of 
potential pirate targets, and easing recovery in the 
case of a security breach. 

A transcoding device, located in the cable sys- 

70 tern headend, performs the re-encryption process. 
The transcoder is authorized to perform decryption 
of the satellite signal by the satellite authorization 
system, and is given appropriate re-encryption pa- 
rameters by a cable access control computer. The 

75 cable access control computer may be located at 
the satellite uplink, with the transcoder, at a remote 
site such as a nearby business office, or at a 
national or international authorization center. 

so Claims 

1. A method for controlling access to digital sig- 
nals received via a first communication path 
and retransmitted over a second communica- 

25 tion path, comprising the steps of: 

receiving said digital signals via said first 
communication path encrypted by a first en- 
cryption scheme; and 

retransmitting said digital signals over said 
30 second communication path using a second 

encryption scheme that differs from said first 
encryption scheme. 

2. The method of claim 1, further comprising the 
35 steps of: 

receiving said digital signals via said sec- 
ond communication path encrypted by said 
second encryption scheme; and 

retransmitting said digital signals over a 
40 third communication path using a third encryp- 

tion scheme that differs from said first and 
second encryption schemes. 

3. The method of claim 2, further comprising the 
45 steps of: 

receiving said digital signals via said third 
communication path encrypted by said third 
encryption scheme; and 

retransmitting said digital signals over at 
50 least one additional communication path in at 

least one additional encryption scheme. 

4. The method of claim 3, further comprising the 
steps of: 

55 receiving said digital signals via an addi- 

tional communication path encrypted by an 
additional encryption scheme; and 

decrypting said digital signals encrypted 
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by said additional encryption scheme for use 
by an authorized subscriber. 

5. The method of one of claims 2 to 4, wherein 
said digital signals encrypted in said second 
encryption scheme are decrypted and then 
reencrypted by said third encryption scheme 
prior to retransmission over said third commu- 
nication path. 

6. The method of one of claims 3 to 5, wherein 
said digital signals encrypted in said third en- 
cryption scheme are decrypted and then reen- 
crypted by said additional encryption scheme 
prior to retransmission over said additional 
communication path. 

7. The method of one of claims 3 to 6 wherein 
said digital signals are retransmitted over said 
additional communication path using a plurality 
of different encryption schemes to control ac- 
cess to said digital signals. 

8. The method of one of claims 3 to 7 wherein 
said first, second, third and additional encryp- 
tion schemes differ by encryption keys used 
by said encryption schemes. 

9. The method of claim 2, further comprising the 
steps of: 

receiving said digital signals via said third 
communication path encrypted by said third 
encryption scheme; and 

decrypting said digital signals encrypted 
by said third encryption scheme for use by an 
authorized subscriber. 

10. The method of one of claims 2 to 9 wherein 
said digital signals are retransmitted over said 
third communication path using a plurality of 
different encryption schemes to control access 
to said digital signals. 

11. The method of claim 10 wherein at least one of 
said digital signals retransmitted over said third 
communication path is received, decrypted, 
and retransmitted over an additional commu- 
nication path using an additional encryption 
scheme that differs from each of said plurality 
of different encryption schemes. 

12. The method of one of the preceding claims, 
further comprising the steps of: 

receiving said digital signals via said sec- 
ond communication path encrypted by said 
second encryption scheme; and 

decrypting said digital signals encrypted 
by said second encrypt.on scheme for use by 



an authorized subscriber. 

13. The method of one of the preceding claims 
wherein said digital signals are retransmitted 

5 over said second communication path using a 

plurality of different encryption schemes to 
control access to said digital signals. 

14. The method of claim 7, 10 or 13 wherein said 
70 plurality of different encryption schemes are 

used to control access to digital signals based 
upon at least one of subscriber group and 
service provided. 

75 15. The method of claim 13 wherein at least one of 
said digital signals retransmitted over said sec- 
ond communication path is received, decryp- 
ted, and retransmitted over an additional com- 
munication path using an additional encryption 

20 scheme that differs from each of said plurality 

of different encryption schemes. 

16. The method of one of the preceding claims 
wherein said first and second encryption 

25 schemes differ by an encryption key. 

17. The method of one of the preceding claims 
further comprising the step of modifying con- 
trol data transmitted with said digital signals 

30 over said first path prior to retransmitting said 

digital signals over said second communication 
path. 

18. The method of claim 17 wherein said control 
35 data is modified to include access control in- 
formation to enable an authorized subscriber to 
decode and use the encrypted television sig- 
nals. 

40 19. The method of one of claims 17 or 18 wherein 
said control data is modified to include pro- 
gram specific information for use by authorized 
subscribers. 

45 20. The method of one of the preceding claims 
wherein said step of retransmitting said digital 
signals over said second communication path 
comprises the steps of: 

decrypting the received digital signals 
so from said first communication path; 

reencrypting the decrypted digital signals 
using said second encryption scheme; and 

transmitting said digital signals reencryp- 
ted by said second encryption scheme over at 
55 least one first segment of said second commu- 

nication path. 
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21. The method of claim 20 wherein said decryp- 
ted digital signals are reencrypted using a plu- 
rality of different encryption schemes for trans- 
mission over a corresponding plurality of dif- 
ferent segments of said second communication 5 
path. 

22. The method of one of the preceding claims 
wherein said digital signals are at least one of 
television, audio, and data signals. io 

23. A communication network for the secure dis- 
tribution of digital television signals comprising: 

a headend for receiving encrypted digital 
television signals from a satellite television link; 75 

first decryption means at said headend for 
decrypting the received television signals; 

first reencryption means at said headend 
for reencrypting the decrypted television sig- 
nals using a different encryption than that pro- 20 
vided over said satellite link; and 

means for coupling the reencrypted digital 
television signals to a cable television path for 
distribution to a plurality of subscribers. 

25 

24. The network of claim 23, further comprising: 

second decryption means for decrypting 
said reencrypted television signals; 

second reencryption means for again en- 
crypting the digital signals after the decryption 30 
by said second decryption means; and 

means for coupling the again encrypted 
digital signals to said cable television path for 
distribution to another plurality of subscribers. 

35 

25. The network of claim 24, wherein said second 
decryption and second reencryption means are 
located along said cable path. 

26. The network ol one of claims 23 to 25, further 40 
comprising a subscriber decoder for receiving 

and decrypting signals from said cable televi- 
sion path. 

27. The network of one of claims 23 to 26 t further 45 
comprising means for modifying control data 
transmitted with said digital signals over said 
satellite television link for subsequent commu- 
nication to subscribers over said cable televi- 
sion path. so 

28. A method comprising the steps of: 

transmitting first encrypted digital signals 
from a first location to a second location via a 
first communication path; 55 

receiving the first encrypted digital signals 
at the second location; 

transforming the received first encrypted 



digital signals to second encrypted digital sig- 
nals; and 

transmitting the second encrypted digital 
signals from the second location to a third 
location via a second communication path. 
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